President Biden’s Classified Documents
Biden is currently the sitting President of the United States. Let’s make this perfectly clear right from the get-go. Does a President of the United States have legitimate access to be in possession of classified documents? Yes, but let’s explore.
Republican Agenda
Ever since the Department of Justice (DOJ) began investigating Donald Trump for a number of alleged wrongdoings, the Republicans have treated Biden as if he is in the wrong. While the DOJ does operate as part of the Federal Government, it is an autonomous entity not under direct control of the White House. While the White House, or more specifically President Joe Biden, can agree or disagree with the DOJ’s handling of matters, his opinion is not relevant to that department’s investigations.
Let me even clarify the heading of this section. The ‘Republican Agenda’ specifically refers to the MAGA Republican agenda, a small sect of the overall Republican party that is extreme in all aspects and is willing to take their agendas to extremes. These specific Republicans are unwilling to compromise, hold firm on conspiratorial ideals, wish for the government to topple and are doing their level best to instigate a civil war. This began under Donald Trump. Like the other MAGA Republicans, Trump also holds unrealistic and extreme points of view; points of view that are dangerous to Democracy and, frankly, to the rest of the world.
These MAGA extremist points of view may ultimately be the undoing of not only American Democracy, but unravel America itself. Meaning, the United States Government may be on the verge of disappearing if MAGA get their way… and with it, not just America, but the economies around the rest of the world. In other words, America’s economy is so intertwined with the rest of the world economies, if America falls, so will many other countries, likely including China and Russia. MAGA Republicans are playing with fire.
Mainstream Media
Unfortunately, mainstream media is helping this MAGA agenda along by pushing stories that further these MAGA narratives; narratives that serve not only to undermine Democracy, but also to undermine all of the foundational democratic institutional glue of the United States Democracy including the judicial system, the executive branch and the legislative branch. There is no branch of the US government that is not currently under internal siege by these MAGA extremists.
Mainstream media is making this situation worse by perpetuating and perpetrating fraudulent stories on the unsuspecting public (Democrat, Republican or Independent).
Stupidity Runs Rampant
One thing that’s become abundantly clear is that stupidity is running rampant throughout far too many MAGA Republicans. Yes, even from people who’ve been elected to government positions. These people have demonstrated they are severely under-educated and do not possess the cognitive or critical thinking skills to understand fact from fiction from fabrication. These are people who, when told something by someone even slightly trustworthy (to them), believe every single word as though it were written as gospel in the Bible.
Mainstream media is taking full and complete advantage of this fact and is now writing not only extreme propaganda articles, but the absolute worst form of tabloid garbage. Case in point. Dailymail writes this entirely propagandistic article: THIRD batch of files found at Joe Biden’s Delaware home.
By ‘files’, this article means “classified documents.”
Presidential Power and Classified Documents
As the duties and powers are conferred on the duly elected President of the United States, that elected individual is given absolute clearance over the documents presented to him and created by him. This means that as President and while remaining the sitting President, that President inherits all clearance levels needed to perform and execute his or her duties as President of the United States.
This clearance level includes possession of and creation of classified documents at any level needed to perform those duties.
It also means that wherever the President chooses to work, classified documents are likely to be present, either previously created by someone else or, indeed, created BY the President of the United States himself as part of his job responsibilities. Having this clearance level is entirely part of being President of the United States.
Possession of Classified Documents as a Crime
To circle back around to that insanely stupid Dailymail article, it attempts to insinuate that Biden somehow should not be in possession of said documents. The President needs to be in possession of whatever classified documents allow him to perform and execute his responsibility as President of the United States. There is no crime here. Biden is not a criminal for being in possession of such classified documents.
Let’s liken this situation to Donald Trump. After Biden was sworn into office as President of the United States, Donald Trump became an Ex-President or if you prefer, a former president. As a former president, each former President gives up their role as sitting President including giving up access to various classified top secret documents.
Donald Trump was found to have been in possession of said documents at his Mar-A-Lago residence. However, the stark difference between Biden and Trump is that Biden is STILL the sitting President of the United States and still possesses the rights to own, hold, read and manage classified documents. Ex-President Trump, on the other hand, no longer holds the right to own, hold, read or manage such classified documents.
Questions without Answers
The question surrounding Trump is whether the documents were duly and properly declassified prior to those documents landing at Mar-A-Lago. As an Ex-President, Trump no longer holds the power to declassify such documents after leaving office. Biden, as President of the United States, still holds the power to declassify any document he chooses.
Thus, for any such rousting by the Dailymail to make it appear as if Biden is somehow in the wrong or has performed a crime, there’s a simple Presidential fix. Biden, as President of the United States, can immediately and instantly declassify any and all such documents in question, leaving the people trying to make Biden look bad standing firmly with egg plastered on their faces. The President can nullify any such alleged criminal situations.
Biden being in possession of classified documents is not only NOT a crime for Biden, it’s actually part of his responsibility as President of the United States. As I said, stupidity reigns supreme with the MAGA Republicans.
Smart or Not?
The question comes down to NOT whether Biden’s possession of such documents was (or is) illegal, but whether it was a smart idea to leave them in his Delaware home. That’s the only situation that has any problems for the Government. Biden firmly has every right to BE in possession of those documents. The problem is only if those classified documents remain in the home unsecured when Biden is not actively there.
No, it’s probably not the smartest of ideas to leave such documents unattended. One would hope that, as a sitting President, his home would have sufficient security to protect it from intruders: not only duly protected by active armed security forces, but also outfitted with an active security system. Even then, so long as the documents were placed into a properly secured safe or other such similar and nearly impenetrable storage unit, the documents are considered properly secured even at his Delaware residence.
If someone who accessed Biden’s premises managed to gain access to such documents and read them, the illegal activity is actually on the people who found and read the documents. It is illegal for those people searching for them to be reading those documents, not Biden. Meaning, it is THEY who should be arrested for reading Biden’s classified documents.
Biden’s Desk
It gets worse. Any document that Biden writes while sitting at his desk could be considered instantly classified from the moment the pen hits paper. This means that finding a piece of paper with writing sitting on top of any desk, surface or object within Biden’s home could always be considered classified at some level. That means that anyone reading such documents without any clearance level granted could be considered having committed a crime. Not Biden, mind you, but the reader.
If there’s a crime having been committed here, it’s the people who infiltrated Biden’s home to find such classified documents. That means that the United States has a major security problem on its hands around Biden’s home.
If people (likely MAGA Republicans) are so easily able to penetrate the President’s residence to find such documents, security is nowhere near where it should be for that residence. This is clearly both a crime called breaking and entering and possibly even stalking.
Biden’s Security
Someone on Biden’s security team needs to quickly ferret out who gained access to the Biden Delaware home and how they managed to gain that access. This is a question no one is asking. However, this is a serious security breach at the top levels of government. No one should have access to Biden’s home with the exception of the Biden family and the Presidential security detail. All others should not be allowed onto the premises unless under escort by said security and only when a member of the Biden family is present. Otherwise, the Biden house should be firmly and completely secured and barred from entry except for Biden family members only. In other words, “Houston, we have a problem.”
Apples to Oranges
Let me get to the heart of why this all matters. Someone or several someones in the MAGA Republican party is simply trying to craft an illusion that appears like Trump’s classified document situation. This crafted situation is intended to make it seem like there’s something hypocritical going on. Except, there isn’t.
The only way the same situation between Trump and Biden can unfold is only after Biden leaves office as President. Only then can Biden be held accountable for holding onto classified documents at a personal residence.
While Biden remains a sitting President of the United States, he is a duly sworn officer of the United States Government and remains in power with all of the duties, responsibilities and, yes, clearances needed to perform that job.
On the other hand, Trump lost those powers, duties and clearances the moment he left office as President. For this reason alone, there is absolutely no comparison here.
Trump’s legal woes over classified documents remain. Donald Trump has no right, power or clearance to hold onto such still classified documents at his Mar-A-Lago residence. Biden, on the other hand, still holds every right, power and clearance to BE in possession of such classified documents wherever he chooses to work.
What Trump has done may be found to be illegal. What Biden has done (and continues to do) is perform his duties as sitting President of the United States. Until Biden leaves office, no crime has been committed involving classified documents. Dailymail, your article is a red herring and it’s damaging America.
Mainstream Media Stirring the Pot
Such articles by the likes of Dailymail only seek to stir the pot of dissent. They use people’s stupidity against them by making it seem like someone is in the wrong when clearly they are not. Thus, it only comes down to the editors and producers of said articles earnestly trying to undermine Democracy by making something appear as illegal when it clearly is not.
What Trump has done may very well be illegal and that remains to be seen by the investigations the DOJ is performing. Biden has done nothing yet illegal, but it might not be the brightest of ideas leaving such documents lying around in the open. Joe Biden, buy a proper document safe.
However, the question remains, how did someone gain access to Biden’s Delaware home to find such documents? No one should be allowed on the premises without Biden’s or his Secret Service detail’s authorization.
Something around Biden’s situation is clearly amiss, but it has nothing to do with classified documents. No one is investigating this.
Dailymail Comments
Reading some of the entirely misguided and, dare I say, stupid comments I’ve read on that Dailymail site, it’s clear that stupidity reigns supreme among MAGA conservatives. It’s like MAGA Republicans check their brains at the door when they walk into a room. They want to find anything and everything to attempt to discredit and, ultimately, impeach Biden. They are even willing to attempt to turn Biden’s daily and standard Presidential duties into a criminal activity.
While impeachment (using whatever junk they can fabricate) may be possible with the House now under Republican control, there is absolutely no way the Democrat controlled Senate will ever vote to convict and remove Biden from office. The MAGA Republicans know this, but they’re still trying quite hard and stupidly to discredit Biden. The only thing the MAGA Republicans are doing is making sure they never ever get elected again.
That’s the reason for such lame and stupid arguments as in this insipid Dailymail article allegedly finding classified documents at Biden’s residence. I’d honestly be more surprised if there WEREN’T classified documents found at Biden’s residences.
Planted Documents
Some have also supposed that the documents were planted by Republicans. While anything’s possible with MAGA extremists, they wouldn’t need to plant classified documents at Biden’s residence. Biden has been actively working at this residence and it makes perfect sense that some classified documents might remain there.
The question isn’t whether the documents were planted or even why the documents are there, but how someone managed to infiltrate Biden’s residence to find them? Why was someone snooping about Biden’s property? How did they get in? Why were they reading said classified documents of a sitting President without permission? These are bigger, more important security questions that need to be addressed… especially by Biden’s Secret Service Detail.
Vice President Documents
To close this article, you’ll notice that I didn’t mention the fact that these documents were from Biden’s time as Vice President until just now. Why is this fact not important? It’s not important because very likely there’s no way to establish exactly when the documents landed at Biden’s Delaware home. The presumption is that these documents landed at his home prior to Biden becoming President. We can’t know this.
Unless strict chain of custody for ALL classified documents is maintained, including exact dates when said documents changed hands, there is very likely no way to verify the exact date any specific document ended up at Biden’s home. Additionally, as President, Biden might need access to classified documents from back in his time as Vice President to handle matters occurring today. For this reason, he could have requested those documents and brought them to his home WHILE PRESIDENT… which is perfectly legal.
Finally, I’ll also point out that while the DOJ is investigating these documents found at his residence, they will likely exonerate Biden over all of the above points. I also hope that someone at the DOJ is smart enough to point out the security flaws and weaknesses with people snooping around Biden’s home in search of such documents… which honestly discloses the much, MUCH bigger problem here.
Let’s Suppose
Even if it’s possible to establish the documents were kept at the Biden residence prior to Biden becoming President, the fact that he is NOW President of the United States overrides that problem. The fact that he has clearance NOW overrides his possession of them when he wasn’t president and wasn’t vice president. Let’s take this one step further. The only way this information can truly be used against Biden is at an impeachment hearing.
The DOJ cannot easily (or possibly at all) bring criminal charges against a sitting President of the United States for activity prior to his being in office. The US Constitution is crystal clear on how to remove a President from office and that is strictly through impeachment and conviction via the House and Senate. That same constitution is entirely silent on bringing criminal charges against a sitting president and, up to this point, so has the Supreme Court remained silent on this point.
Political Stunt
This update is from Feb 4th, 2023. I’d like to point out that in the same form as Republicans always like to call out against the Democrats, the Republicans are now guilty of doing exactly the same thing TO the Democrats. This whole situation is born out of a Republican agenda to discredit the Democrats. The point in “lawyers” “finding” documents at Biden’s home is strictly for the purposes of trying to weaken any DOJ case against Donald Trump.
The point here is that Donald Trump wants leverage when a DOJ lawsuit is finally brought against him (DJT). Trump can now point to Biden as an example of “the same classified document situation” and then ask why Biden is not being brought to justice over having similar documents at his house.
Let’s summarize the primary differences here:
- One is president, one is not…
  - Biden is the sitting President of the United States.
  - Donald Trump is NOT president.
- When exactly the documents arrived at the dwellings in question…
  - It cannot be established when Biden’s documents arrived at Biden’s Delaware home (i.e., before or after his presidency).
  - Donald Trump’s documents definitely arrived at Mar-A-Lago AFTER Trump left the White House and was, thus, no longer President and no longer held clearances high enough to possess some of those supposedly (de)classified documents.
- Level of Classified Documents…
  - Biden’s documents were from a time when Biden was Vice President. It has not been established the level of classified documents involved, but likely were NOT the highest levels of top secret.
  - Allegedly, some of Trump’s classified documents involved documents so Top Secret, they could not be declassified by a sitting President under any circumstances.
These three basic points are what the Department of Justice must establish against both Biden and Trump. However, Biden is still the sitting President. Even if the DOJ were to find criminal actions allegedly involving Biden, his being President overrules that criminal action. It is unlikely Biden can have any criminal actions brought against him while he is sitting President of the United States.
The only action afforded against a sitting President is the power given to Congress to impeach (House) and convict (Senate) the President. Even then, these powers are political in nature, performed by politicians, not judicial actions performed by a justice or jury. In other words, there are no other actions available to the government against a sitting President.
The DOJ could hold its legal actions against Biden until Biden is no longer President. As long as Biden remains President, he is shielded from criminal actions by the DOJ. That doesn’t preclude individuals from suing Joe Biden in civil court, but the best that can be extracted from such civil actions is money. Civil proceedings are never criminal actions and cannot produce criminal consequences.
Difference between Biden and Trump
As for Donald Trump, his classified document case is fairly clear cut in most regards. The only real question that must be answered around Donald Trump’s case is, “Were the documents actually declassified?” It is on the DOJ to establish whether or not some or all of the documents were declassified. If all of the documents were declassified, then there’s no case against Trump. If the DOJ had established this by now, then the DOJ would have already dismissed its case. It has not.
Further, it is also on the DOJ to prove that if some of the documents couldn’t be declassified by a sitting President, then there is now a clear violation by Donald Trump in retaining those documents after becoming an ex-President.
Once the DOJ has established that Donald Trump had classified documents in his possession and that those documents were not declassified (and at what level), then it is on the DOJ to establish the level of crime that Donald Trump committed by being in possession of said documents. After this point, it is, once again, on the DOJ to further ascertain if foreign nationals visited Mar-A-Lago (via registration at Mar-A-Lago and/or flight records and/or cab records and/or rental car records) and determine if those visiting foreign nationals might have had access to said documents in Donald Trump’s possession.
Being in possession of classified documents is a separate crime (possession) from allowing foreign nationals to access and, more importantly, to view and read such classified documents (espionage / treason).
The Department of Justice has a long road of research ahead for all of the above.
With Biden, possession of such classified documents isn’t currently a crime. Even then, the only way to try and convict Biden is through impeachment. With Trump, there is absolutely nothing shielding Trump against such criminal legal actions. Trump can try to point at Biden as an example, but Biden’s Presidential shield is pretty impenetrable. Trump has no such shield at all against DOJ actions. Even as much as Trump wishes to use Biden as a punching bag, it’s not going to work in the long run.
Once the DOJ chooses to bring criminal action against Trump, there’s nothing Trump can say, do or point fingers at that will reduce his liabilities… no, not even Biden’s having documents at his Delaware home.
Political Stunt Conclusion
And yes, the entire reason for Trump to use Biden as a “classified documents” punching bag is strictly a political stunt. It hasn’t even been established if the documents were planted at Biden’s residence strictly to facilitate this political stunt. Knowing Trump’s callous disregard for, well, just about any law in existence, there’s absolutely no way to know if Trump orchestrated this whole shenanigan against Biden. If I were working in the Government, I’d definitely begin an investigation over the lawyers who allegedly found these documents at Biden’s residence to find out what connections they may have to Trump… see six degrees of separation.
Note: Randocity prefers using Reuters and the AP as sources whenever possible. These two news organizations have regularly proven to be mostly unbiased when reporting, unlike all major TV “cable news” networks.
Security Tip: Apple ID locked for security?
This one also doubles as a Rant Time. Having my Apple ID account locked is an issue I face far too often with Apple. Perhaps you do, too? In my case, no one knows my account ID. Yet, I face having to unlock my account frequently because of this issue. I personally think Apple is causing this issue. Let’s explore.
Unlocking an Apple ID
As with far too many things, Apple’s unlocking system is unnecessarily complex and fraught with digital peril after-the-fact… particularly if you enable some of Apple’s more complex security features (i.e., Two Factor authentication).
One of the things Apple has yet to get correct is properly securing its Apple ID system from intrusion attempts. That doesn’t mean that your account is unsafe. What it means is that your account is unsafe against malicious attacks targeting your account ID. But, there’s an even bigger risk using Apple’s ID system… securing your credentials by using an email address. I’ll come back to this practice a little later.
Once your account becomes locked, there are a number of major problems that present. The first immediate problem is that you need to remember your security questions OR face changing your password (assuming standard security). If you use Apple’s two-factor authentication, you face even more problems. If you don’t use two-factor and you’ve forgotten your security questions, you have the option to contact Apple Support to help you with your security question problems to gain access to your account. On the other hand, if you’ve forgotten your security information set up when enabling two-factor, you’re screwed. Apple can’t help you after you have two-factor set up… one of the major reasons I have chosen not to use two-factor at Apple. Two-factor IS more secure, but by using it you risk losing your Apple ID if you lose a tiny bit of information. That risk is far too great. With all of the “ease of use” Apple is known for, its Apple ID system is overly complex.
The second problem is that once you do manage to get your account unlocked, you are then required to go touch EVERY SINGLE DEVICE that uses your account ID and reenter your password AGAIN. This includes not only every Apple device, but every device utilizing Apple services such as Alexa’s account linking for Apple Music on the Amazon Echo. If you use Apple Music on an Android, you’ll need to go touch that too. It’s not just the locking and unlocking of your account, it’s the immense hassle of signing into your Apple ID on EVERY SINGLE DEVICE. Own an Apple Watch? Own an Apple TV? Own a Home Pod? Own an iPad? Own a MacBook? Use Apple Music on your Android? You’ll need to go to each and every one of these devices and touch them.
On the iPhone, it’s particularly problematic. You’ll be presented with at least 3 login prompts simultaneously all competing with one another on the screen. Later, you’ll be presented with a few more stragglers over the course of 30 minutes or an hour. Apple still can’t seem to figure out how to use a single login panel to authenticate the entire device and all of its services. Instead, it must request passwords for each “thing” separately. So many prompts pop up so fast you have no idea which one is which because none of them are labeled as to which service they are attached. You could even be giving your account ID and password to a random nefarious app on your device. You’d never know. If you own an Apple Watch, you’ll have to re-enter it separately for that device as well. Literally, every single device that uses your Apple ID must be touched after unlocking your Apple ID. Unlike Wi-Fi passwords which you enter once and it’s shared across every device you own, Apple can’t possibly do that with its Apple ID system so that we enter it once and it populates ALL of our devices. No. We must touch each and every device we own.
Worse, if you don’t go touch each and every one of these devices immediately upon unlocking your account, you risk having your account locked almost immediately by just one of these devices. Apple’s ID system is not forgiving if even one of these devices hasn’t logged in properly after a security lock. You could face being locked out just a few hours later.
So the rant begins…
Using Email Addresses as Network IDs
Here’s a security practice that needs to stop. Apple, I’m l👀king at you! Using email addresses as an ID was the “norm” during the mid-late 00s and is still in common practice throughout much of the Internet industry. It is, however, a practice that needs to end. Email addresses are public entities easily seen, easily found and, most easily, attacked. They are NOT good candidates for use as login identifiers. Login identifiers need to use words, phrases or information that are not generally publicly accessible or known. Yes, people will continue to use their favorite pet’s name or TV show or girlfriend’s name as login IDs. At least that’s only found by asking the person involved. Email addresses are not required when developing login systems. You can tie the email address to the account via its profile. But, it SHOULD NOT be used as a login identifier.
When an Apple ID account gets continually locked, Apple Support suggests changing the login ID, but that’s not going to change anything. You’re simply moving the crap from one toilet to another. Crap is still crap. The problem is that it still uses an email address and, to reiterate, email addresses are easily seen, found and attacked. What I need is a login ID that’s of my own choosing and is not an email address. This way, random folks can’t go to Apple’s iCloud web site and randomly enter an email address intentionally to lock accounts. If I can choose my own login identifier, unless I give that information out explicitly to someone, it’s not guessable AT ALL and far less likely to be locked out by random folks entering junk into Apple’s web-based login panels.
Oh, and make no mistake, it’s not people on an iPhone or iPad doing this. It’s people going to Apple’s web site and doing it there. There is no other place where it can be happening. And yet, we unsuspecting users are penalized by having to spend a half an hour finding and reentering passwords on all our devices because someone spent 5 minutes at Apple’s web site entering random information incorrectly 3 times. Less than 5 minutes worth of effort triggers at least 30 minutes of work unlocking the account and reentering passwords on many devices and services. And then there are the stragglers that continue to prompt for at least an hour or two after… all because Apple refuses to secure its own web site login panels from this activity. This is not my problem Apple, it’s yours. You need to fix your shit and that’s something I absolutely cannot do for you.
Notifications
Apple prides itself on building its push notification system, yet it can’t even use it to alert users of potential unusual activity on its very own Apple IDs. If someone is incorrectly trying passwords on a web site, they know where this vector is. So then, tell me about it, Apple. Send me an alert that someone is trying to log into the Apple Store or the iCloud.net site. Inform me that my ID is being used in a place that seems suspect. You know the IP address where the user is coming from. Alert me. Google does. You can, too.
Additionally, Apple stores absolutely NO information about bad login attempts. If you attempt to contact Apple Support about your account activity, they don’t have access. They can’t even tell you what triggered your Account ID lock. This level of information is the absolute bare minimum a company using centralized login IDs must offer to its users. If Apple can’t even bother to help you find out why and where your account was locked, why would you trust Apple to store your information? Apple puts all its cards on its functionality side, but it can’t put a single card on this side of the security fence? What the hell, Apple?
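The lockout and notification complaints above, as an added example (not from the original post, and not Apple's implementation, which the page does not describe): it replays the same constructed login events through a policy that counts failures per login ID only and through one that counts per login ID and source address and records an owner alert. The class names, addresses, the 15-minute block window and the event format are assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

MAX_FAILURES = 3  # the post describes a lock after three bad entries

# Constructed sample events: (epoch_seconds, login_id, source_address, password_ok).
# Addresses are from the documentation ranges; none of this is real log data.
EVENTS = [
    (1000, "user@example.com", "203.0.113.7", False),   # stranger guessing
    (1010, "user@example.com", "203.0.113.7", False),
    (1020, "user@example.com", "203.0.113.7", False),
    (1030, "user@example.com", "203.0.113.7", False),
    (1100, "user@example.com", "198.51.100.20", True),  # owner, correct password
]


@dataclass
class AccountKeyedLockout:
    """Failures are counted per login ID, whatever their source."""
    failures: dict = field(default_factory=lambda: defaultdict(int))
    locked: set = field(default_factory=set)

    def attempt(self, login_id, source, password_ok, now):
        if login_id in self.locked:
            return "locked"          # owner is refused too
        if password_ok:
            self.failures[login_id] = 0
            return "ok"
        self.failures[login_id] += 1
        if self.failures[login_id] >= MAX_FAILURES:
            self.locked.add(login_id)
            return "locked"
        return "denied"


@dataclass
class SourceAwareThrottle:
    """Failures are counted per (login ID, source); only that source is blocked."""
    block_seconds: int = 900         # assumed 15-minute window
    failures: dict = field(default_factory=lambda: defaultdict(int))
    blocked_until: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)

    def attempt(self, login_id, source, password_ok, now):
        key = (login_id, source)
        if self.blocked_until.get(key, 0) > now:
            return "throttled"
        if password_ok:
            self.failures.pop(key, None)
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= MAX_FAILURES:
            self.blocked_until[key] = now + self.block_seconds
            self.failures[key] = 0
            # Record what the owner would be told: when and from where.
            self.notifications.append(
                {"login_id": login_id, "source": source, "time": now}
            )
            return "throttled"
        return "denied"


def replay_account_keyed(events=EVENTS):
    policy = AccountKeyedLockout()
    return [policy.attempt(lid, src, ok, ts) for ts, lid, src, ok in events]


def replay_source_aware(events=EVENTS):
    policy = SourceAwareThrottle()
    results = [policy.attempt(lid, src, ok, ts) for ts, lid, src, ok in events]
    return results, policy.notifications


if __name__ == "__main__":
    print("account-keyed:", replay_account_keyed())
    results, notes = replay_source_aware()
    print("source-aware: ", results)
    print("owner alerts: ", notes)
```

Per-source counting alone does not limit guessing spread across many addresses, so a deployed design would pair it with a global rate cap or step-up verification.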
Apple Locking Accounts
I also firmly believe that Apple is intentionally locking accounts. When these lockouts occur, it’s not me doing it. I’m not out there entering my account credentials incorrectly. It’s not my devices, either. My devices ALL have my correct password setup. This means that either someone has guessed my email address or, more likely, Apple is intentionally locking the account. I firmly believe Apple is intentionally doing this internally and it’s not incorrect password attempts at all. The more it happens, the more I believe Apple is forcing this. I don’t know why they would want to do this, but I do believe they are. Maybe it’s a disgruntled employee who just randomly feels the need to screw with Apple’s users?
Apple’s Response
I’ve called Apple Support at least twice regarding this issue and gotten absolutely nowhere. They can’t and, more importantly, won’t help with this issue. They claim to have no access to security logs. They can’t determine where, when or why an account was locked. In fact, I do believe Apple does have access to this information, but I believe Apple Support has been told not to provide any information.
If Apple Support can’t give this information, then this information should be offered through the Apple ID account site (appleid.apple.com). This site should contain not only the ability to manage your Apple ID, it should also store and offer security information for when and where your ID was used (and where the account was used when it locked). Yet, Apple offers NOTHING. Not a single thing. You can log into this site, but there are no tools offered to the user. Apple exposes nothing about my account use to me. Google, on the other hand, is very transparent. So transparent, in fact, that they send “unusual activity” alerts whenever your ID is used in an unusual way. Google errs on the side of over-communication. Yet, Apple hasn’t done shit in this area and errs on the side of absolute ZERO communication.
Get your act together Apple. Your Apple ID system sucks. Figure it out!
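To make the request above concrete, here is an added sketch (not from Apple or any real identity provider) of a login service that records every attempt with its source, notifies the owner, and can say exactly why an account locked. The thresholds, field names, account name and documentation-range IP addresses are all assumptions constructed for the example.

```python
"""Failed-login audit trail with user-visible lock reasons (illustrative sketch)."""
from collections import defaultdict
from dataclasses import dataclass

MAX_FAILURES = 5        # assumed lock threshold
WINDOW_SECONDS = 600    # assumed sliding window for counting failures


@dataclass(frozen=True)
class Attempt:
    ts: int             # Unix time of the attempt
    source_ip: str
    service: str        # which front end was used, e.g. "web" or "device"
    success: bool


class LoginAuditor:
    def __init__(self):
        self.history = defaultdict(list)    # account -> every Attempt, kept for audit
        self.known_ips = defaultdict(set)   # account -> IPs with a past successful login
        self.notified = defaultdict(set)    # account -> unknown IPs already alerted on
        self.locks = {}                     # account -> lock record
        self.alerts = []                    # notifications that would go to the owner

    def _alert(self, account, kind, attempt):
        self.alerts.append({"account": account, "kind": kind, "ts": attempt.ts,
                            "source_ip": attempt.source_ip, "service": attempt.service})

    def record(self, account, ts, source_ip, service, success):
        attempt = Attempt(ts, source_ip, service, success)
        self.history[account].append(attempt)   # log first, even if already locked
        if account in self.locks:
            return "locked"
        if success:
            if self.known_ips[account] and source_ip not in self.known_ips[account]:
                self._alert(account, "login_from_new_ip", attempt)
            self.known_ips[account].add(source_ip)
            return "ok"
        # Failed attempt: tell the owner once per source they have never used.
        if (source_ip not in self.known_ips[account]
                and source_ip not in self.notified[account]):
            self.notified[account].add(source_ip)
            self._alert(account, "failed_login_from_unknown_ip", attempt)
        recent = [a for a in self.history[account]
                  if not a.success and ts - a.ts <= WINDOW_SECONDS]
        if len(recent) >= MAX_FAILURES:
            # Keep the evidence with the lock so "why was I locked?" has an answer.
            self.locks[account] = {"locked_at": ts, "reason": "too_many_failed_logins",
                                   "triggering_attempts": recent}
            self._alert(account, "account_locked", attempt)
            return "locked"
        return "failed"

    def lock_report(self, account):
        """What the owner (or a support agent) should be able to see after a lock."""
        lock = self.locks.get(account)
        if lock is None:
            return None
        tries = lock["triggering_attempts"]
        return {
            "locked_at": lock["locked_at"],
            "reason": lock["reason"],
            "sources": sorted({a.source_ip for a in tries}),
            "services": sorted({a.service for a in tries}),
            "attempts": [(a.ts, a.source_ip, a.service) for a in tries],
        }


def demo():
    """Constructed scenario: one good login, then five bad ones from elsewhere."""
    auditor = LoginAuditor()
    acct = "user@example.com"
    auditor.record(acct, 1000, "192.0.2.10", "device", True)
    for i in range(5):
        auditor.record(acct, 2000 + 30 * i, "203.0.113.77", "web", False)
    return auditor, auditor.lock_report(acct)


if __name__ == "__main__":
    auditor, report = demo()
    print(report)
    for alert in auditor.alerts:
        print(alert)
```
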
Security Tip: Spam, Bitcoin and Wallets
In writing this blog, I encounter a lot of different spam comments every single day. None of this spam reaches the comment area of any blog article because of moderation and spam filtering. However, every once in a while I see a spam message that catches my eye and I feel the need to write about such traps. Let’s explore.
Today’s Spam
Today, I found this spam message and it spurred me to write this blog article:
Invest $ 5,000 in Bitcoin mining once and get $ 7,000 passive income per month
This sounds like a great deal, doesn’t it? Of course, this spam message arrived complete with a link to a website. I’ve redacted that part of this spam. The text is the most important part (or rather, the sleaziest part) and what I intend to discuss in this article.
Let’s dispel this one right away. You cannot invest $5,000 into a Bitcoin mining rig and get $7,000 a month in passive income. This is not possible. First off, Bitcoin is entirely volatile so values vary every minute. Second, you have to place your mined Bitcoin into a wallet somewhere. Third, a compute rig requires electric power, air conditioning and internet services requiring you to pay bills every month. Fourth, the maximum you could mine per month is a fraction of a Bitcoin.
Most mining rigs are lucky to make any money at all considering the electric bill cost alone. You must also pay for your Internet service, as Bitcoin mining requires regular check-ins with its sites to transfer the data processed during mining and download new data. Neither the electric nor the internet bill is inexpensive, and both will substantially reduce the value of any Bitcoin you might mine. There are also exchange fees to convert your Bitcoin into US Dollars (or vice versa), which will eat into the profits of your mined Bitcoin.
Mining
Bitcoin mining seems like a great thing. In reality, it is far from it. As I mentioned above, you need to not only invest in a specialty computer rig designed for Bitcoin mining, you also need to supply it with electrical power, heat dissipation (A/C or a fan) and internet service. In exchange for “mining”, you will occasionally receive tiny fractions of Bitcoin (when the bits align just right). When Bitcoin first began, the amount and frequency of Bitcoin given during mining was much higher than it is today. Worse, mining of Bitcoin will see less and less Bitcoin issued as time progresses. Why?
Bitcoin is a finite currency with a limit on the maximum number of coins ever. Once the coins are gone, the only way to get a coin is by getting it from someone who already has one. Even then, there’s a problem with that. That problem is called ‘end of life’ and, yes, even Bitcoin has an expiration date.
But… what exactly is “mining” and why is it a problem for Bitcoin? Mining is not what you think it is. This word imparts an image of men in hardhats with pickaxes. In reality, mining isn’t mining at all. It is a collective of computers designed to compute the general ledger of transactions for Bitcoin. Basically, each “mining” computer takes a small amount of potential ledger data given to it by an “authority” and then solves for the equations given. This information is handed back to the “authority”. The “authority” then compares that against all other results from other computers given the same data. If a consensus is reached, then the transaction is considered “valid” and it goes into the ledger as legitimate. This is the way the currency ferrets out legitimate transactions from someone trying to inject fake transactions.
There’s a lot more to it, but this is the gist of how “mining” works. In effect, when you set up a mining computer (or rig), your computer is actually performing transaction validation for Bitcoin’s general ledger. In return for this calculation work, your computer is “paid” a very tiny fraction of Bitcoin… but not nearly enough to cover the real world money needed for the 24/7 constant computing. A Bitcoin payment is only issued during mining IF the calculation solves to a very specific (and rare) answer. And so begins Bitcoin’s dilemma…
Basically, if you take all of the fractions of Bitcoin you receive over a year’s worth of 24/7 general ledger computing, you might be lucky to break even once you take your electric and internet bills into account. However, you are more likely to lose money due to the rare incidence of solving the equation for payment.
Additionally, to store those fractions of Bitcoin from your mining activities, you’re going to need a wallet. If your wallet is stolen, well that’s a whole separate problem.
Bitcoin Logistics
Unless you’ve been living under a rock, many crypto wallets and companies that store wallets are entirely insecure. They “think” they are secure, but they’re not. They’re simply living on borrowed time. Too many wallet companies (and wallet technologies) have been hacked and have lost Bitcoin for many people. Because of the almost trivial vulnerability nature of a crypto wallet, owning Bitcoin is almost not even worth the risk. We’re not talking small amounts of Bitcoin lost. We’re talking tens of thousands of dollars “worth” of Bitcoin gone *poof* because the companies / wallets were hacked and Bitcoin emptied.
While there might be some reputable and secure wallet storage companies, you have no idea how secure they really are. Because it’s cryptocurrency, once the Bitcoin has left the wallet, there’s no way to get it back. It’s the same as if someone stole your wallet out of your pocket or purse. Once it’s gone, it’s gone.
Further, because Bitcoin’s wallet technologies are so hackable and because it holds real world value into convertible fiat currencies, like the US Dollar (and other currencies), there’s a real and solid motivation for hackers to find ways to get into and pilfer Bitcoin wallets from unsuspecting owners.
The Downsides of Bitcoin
As a miner, you’re paid in Bitcoin. Bitcoin has limited uses in the real world. There are some places that accept Bitcoin, but they’re few and far apart. Most places still only accept the local currency, such as the US Dollar in the United States. For Bitcoin to become a functional currency, it would need to be heavily adopted by stores and businesses. Instead, today most places require you to convert Bitcoin into the local currency. This is called exchanging currency and usually incurs fees for the exchange. You can’t put Bitcoin into a traditional bank. You can’t use it to pay most bills. Any business wanting to remain in business would need to convert any Bitcoin received into USD or similar. The conversion fee could be 1%, 2% or up to 10% of the transaction. There might even be a separate fixed transaction fee. These fees begin to add up.
All of this reduces the value of Bitcoin. If one Bitcoin is worth $1000 (simply used as illustration), you could lose up to $100 in converting that single Bitcoin to $1000… making it worth $900. Because Bitcoin is entirely volatile, a Bitcoin worth $1000 today could be worth $100 tomorrow. For this volatility reason and because of electric and internet bills, the idea of making $7000 in passive income in a month is not even a reality. If you could receive one Bitcoin per month via mining (hint: you can’t), you might clear $7000 (assuming one Bitcoin is worth $7000 when you go to convert). Chances are, you’re likely to get far, far less than one Bitcoin per month. More likely, you’ll get maybe 1/10th (or less) of a Bitcoin in a month’s worth of computing … barely enough to cover the cost of your electric bill… assuming you immediately cash out of your Bitcoin and use that money to pay your bills.
Insurance and Fraud
The US government insures bank and savings accounts from loss via the FDIC (Federal Deposit Insurance Corporation). No such governmental insurance programs cover Bitcoin (or any other cryptocurrency). Until or unless the US government issues its own digital currency and extends similar protections of the FDIC to banks storing those digital currencies, today’s decentralized cryptocurrencies are simply the “Wild West” of currency.
What “Wild West” means is that anyone who owns cryptocurrency is at risk of loss no matter what means is used to store your Bitcoin. Your coins are as secure as the weakest link… and the weakest link (among many) appears to be the wallet.
Cryptography and Security
Many crypto “banks” (though I hesitate to even call them a bank) claim high levels of security over your Bitcoin wallet. Unfortunately, your wallet is always at risk no matter where you store it. If it’s on a self-contained card on your person, that can be hacked. If it’s at a currency exchange service, like Coinbase, it can still be hacked (in a number of ways).
The problem with crypto “anything” (and this is the key bit of information that everyone needs to take away from cryptography) is that cryptography was designed and intended to offer transient “short term” security.
What I mean by “short term” is that it was designed to secure data for only as long as a transaction requires (usually a few seconds). An example is using an app on your phone to perform a transaction with your bank. Your logged-in session might last 5-10 minutes at most. Even then, a single communication might last only a few seconds. Cryptography is designed to protect your short burst transmissions. It would take a hacker well longer than that short transmission period to hack the security of your connection. By the time a hacker had gained access, your transaction is long over and you’re gone. There’s no way they could change or alter what you’re asking your bank to do (unless, of course, your device is compromised… a completely separate problem).
Bitcoin, on the other hand, is required to be secured in a wallet for months, years or potentially even decades. Cryptography is not designed for that duration of storage and protection. In fact, cryptographic algorithms become weaker every single day. As computers and phones and devices get faster and can compute more data, these algorithms lose their protections slowly. It’s like when rains erode soil on a mountain. Inevitably, with enough soil eroded, you’ll have a landslide.
With crypto, eventually the computers will become fast enough so as to be able to decrypt Bitcoin’s security in a matter of weeks, then days, then hours, then minutes and finally in real-time. Once computers are fast enough to hack through a wallet’s security in real-time, nothing can protect Bitcoin.
This is the vulnerability of Bitcoin and other cryptocurrencies. Once computers hit the threshold to instantly decrypt Bitcoin’s security (or, more likely, Bitcoin’s wallet security), then Bitcoin is all over. You can’t store something when computers can gain unauthorized access in a few minutes. This law of diminishing cryptography returns is the security fallacy of Bitcoin.
Of course, Bitcoin developers will say, “Well, we’ll upgrade the Bitcoin cryptography to last longer than the then-current processing power”. It is possible for developers to say and potentially do this. But, that could still leave YOUR wallet vulnerable. If your wallet happens to be stored in an older cryptographic format that is vulnerable, then what? You may not even know your wallet is being stored in this vulnerable way if it’s stored at an exchange like Coinbase. That could leave your and many others’ wallets hanging out to dry. Unless the currency exchange shows you exactly the format your wallet is being stored in and exactly the strength of cryptography being used, your wallet could very well be vulnerable.
Note that even the strongest encryption available today could still contain vulnerabilities that allow it to be decrypted unintentionally.
Bitcoin Uses
Probably the only single use of Bitcoin is as part of a balanced portfolio of assets. Diversifying your portfolio among different investment strategies is the only real way to ensure your portfolio will continue to grow at a reasonable rate. This is probably one of the only reasons to legitimately invest in Bitcoin. However, you don’t need to outlay for a mining rig to do it. Some investment firms today now allow for investment into cryptocurrencies as part of its investment portfolio offerings.
Still, you’ll have to be careful with investing in cryptocurrencies because there can be hidden transaction fees and conversion fees involved. These are called “loads” in the investing world. This means that you might invest $50, but only receive $40 in Bitcoin. That $10 lost represents the “load”. If you sell out of Bitcoin, you may also receive yet another “load” and again lose some of your money in the exchange. You have to take into account these “loads” when you choose to invest in certain funds. “Load” funds are not limited to Bitcoin. These exist when investing in all sorts of funds including mutual funds and ETFs.
However, Bitcoin (and other cryptocurrencies) can be valuable as part of a balanced portfolio. Of course, Bitcoin would be considered a Risky type of investment because of its volatility. Depending on how your portfolio is balanced, you may not want to invest in something as risky as Bitcoin. Not all portfolio management companies (i.e., Schwab, E*Trade, Ameritrade, etc) may offer cryptocurrency as an investment strategy. You’ll need to check with your specific company to determine if Bitcoin is available.
End of Bitcoin
Because Bitcoin is finite in total numbers of coins, eventually computing the general ledger will no longer pay dividends. What I mean is, once the Bitcoins run out, there will be no way to pay the miners. Bitcoin currently pays miners from the remaining ever diminishing pool of Bitcoin. Once there are no more Bitcoins in the pool, there are no more payments to the miners. This means that Bitcoin is dead. No one is going to continue to spend their expensive electric and internet bills on computing a general ledger that offers no dividends. No general ledger computations, no transactions.
This means that eventually, miners will stop mining. Once a critical mass of general ledger computation stops, computing Bitcoin transactions may become impossible. This will be the death of Bitcoin (and any other cryptocurrencies that adopt the same mining payment model). You can’t spend a Bitcoin as liquid currency if there’s no way to validate a transaction.
Some people think that it might require Bitcoin to completely hit zero, but it doesn’t. Once the remaining pool gets small enough, the algorithm gives out ever smaller amounts of payment in return for computing. At some point, spending thousands of dollars on a rig to gain a few pennies worth of Bitcoin every month won’t be worth it. Miners will shut off their mining activities. As more and more miners realize the futility of their mining efforts, fewer and fewer will mine.
When a compute (or lack thereof) critical mass is reached, Bitcoin will be in a crisis. This is the point at which the value of Bitcoin will plummet, taking with it many “paper Bitcoin millionaires”.
If you own Bitcoin, you need to watch and listen carefully to this part of the Bitcoin world. In fact, we are likely already on the downward slope of the bell curve for Bitcoin computing. How far down the bell curve is unknown. Unfortunately, as with most investment products, many people hold on far too long and get wiped out. It’s best to sell out while you know the currency holds value. Don’t wait and hold thinking it will infinitely go up. It won’t.
Eventually, Bitcoin will die because of its finite number of coins and its heavy reliance on “mining”… which “mining” relies on offering dividends. When the dividends stop being of value, so will end the mining and, by extension, so Bitcoin will end.
Rant Time: Bloomberg and Hacked Servers
Bloomberg has just released a story claiming SuperMicro motherboards destined for large corporations may have been hacked with a tiny “spy” chip. Let’s explore.
Bloomberg’s Claims
Supposedly the reporters for Bloomberg have been working on this story for months. Here’s a situation where Bloomberg’s reporters have just enough information in hand to be dangerous. Let’s understand how this tiny chip might or might not be able to do what Bloomberg’s alarmist view claims. Thanks Bloomberg for killing the stock market today with your alarmist reporting.
Data Compromise
If all of these alleged servers have been compromised by a Chinese hardware hack, someone would have noticed data streaming out of their server to Chinese IP addresses, or at least some consistent address. Security scans of network equipment require looking through inbound and outbound data logs for data patterns. If these motherboards had been compromised, the only way for the Chinese to have gotten that data back is through the network. This means data passing through network cards, switches and routers before ever hitting the Internet.
Even if such a tiny chip were embedded in the system, many internal only servers have no direct Internet access. This means that if these servers are used solely for internal purposes, they couldn’t have transmitted their data back to China. The firewalls would prevent that.
For servers that may have had direct access to the Internet, these servers could have sent payloads, but eventually these patterns would have been detected by systems administrators, network administrators and security administrators in performing standard security checks. It might take a while to find the hacks, but they would be found just strictly because of odd outbound data being sent to locations that don’t make sense.
Bloomberg’s Fantasy
While it is definitely not out of the realm of possibility that China could tamper with and deliver compromised PCB goods to the US, it’s doubtful that this took place in the numbers that Bloomberg has reported.
Worse, Bloomberg makes the claim that this so-called hacked hardware was earmarked for specific large companies. I don’t even see how that’s possible. How would a Chinese factory know the end destination of any specific SuperMicro motherboard? As far as I know, most cloud providers like AWS and Google buy fully assembled equipment, not loose motherboards. How could SuperMicro board builders possibly know it’s going to end up in a server at AWS or Google or Apple? If SuperMicro’s motherboard products have been hacked, they would be hacked randomly and everywhere, not just at AWS or Google or whatever fantasy Bloomberg dreams up.
The Dangers of Outsourcing
As China’s technical design skills grow, so will the plausibility of receiving hacked goods from that region. Everyone takes a risk ordering any electronics from China. China has no scruples about any other country than China. China protects China, but couldn’t give a crap about any other country outside of China. This is a dangerous situation for China. Building electronics for the world requires a level of trust that must exist or China won’t get the business.
Assuming this alleged “spy chip” is genuinely found on SuperMicro motherboards, then that throws a huge damper on buying motherboards and other PCBs made in China. China’s trust level is gone. If Chinese companies are truly willing to compromise equipment at that level, they’re willing to compromise any hardware built in China including cell phones, laptops and tablets.
This means that any company considering manufacturing their main logic boards in China might want to think twice. The consequences here are as serious as it can get for China. China has seen a huge resurgence of inbound money flow into China. If Bloomberg’s notion is true, this situation severely undermines China’s ability to continue at this prosperity level.
What this means ultimately is that these tiny chips could easily be attached to the main board of an iPhone or Android phone or any mobile device. These mobile devices can easily phone home with data from mobile devices. While the SuperMicro motherboard problem might or might not be real, adding such a circuit to a phone is much more undetectable and likely to provide a wealth more data than placing it onto servers behind corporate firewalls.
Rebuttal to Bloomberg
Statements like the one from this next reporter are why no one should take these media outlets seriously. Let’s listen. Bloomberg’s Jordan Robertson states, “Hardware hacking is the most effective type of hacking an organization can engineer… There are no security systems that can detect that kind of manipulation.” Wrong. There are several security systems that look for unusual data patterns including most intrusion detection systems. Let’s step back for a moment.
If the point in the hardware hacking is to corrupt data, then yes, it would be hard to detect that. You’d just assume the hardware is defective and replace it. However, if the point to the hardware hack is to phone data home, then that is easily detected via various security systems and is easily blocked by firewalls.
The assumption that Jordan is making is that we’re still in the 90s with minimal security. We are no longer in the 90s. Most large organizations today have very tight security around servers. Depending on the role of the server, it might or might not have direct trusted access to secured data. That server might have to ask an internal trusted server to get the data it needs.
For detection purposes, if the server is to be used as a web server, then the majority of the data should have a 1:1 relationship. Basically, one request inbound, some amount of data sent outbound from that request. Data originating from the server without an inbound request would be suspect and could be detected. For legitimate requests, you can see these 1:1 relationships in the logs and when watching the server traffic on an intrusion detection system. For one-sided transactions sending data outbound from the server, the IDS would easily see it and could block it. If you think that most large organizations don’t have an IDS, even simply in watch mode, you are mistaken.
If packets of data originate from the server without any prompting, that would eventually be noticed by a dedicated security team performing regular log monitoring and regular server security scans. The security team might not be able to pinpoint the reason (i.e. a hardware hack) for unprompted outbound data, but they will be able to see it.
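The check described above can be run over connection logs collected at a switch or firewall. The following is an added example, not part of the original post: it separates client-initiated requests from server-initiated connections and reports any egress that is neither a reply nor on an allowlist. The log format, addresses, ports and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# All values below are constructed for illustration.
SERVER = ip_address("10.0.0.5")        # the web server being watched
LISTEN_PORTS = {80, 443}               # ports it serves requests on
ALLOWED_EGRESS = [                     # (network, port) the server may initiate to
    (ip_network("10.0.0.0/24"), 53),   # internal DNS
    (ip_network("10.0.0.0/24"), 123),  # internal NTP
]
LONG_LIVED_SECONDS = 3600              # a connection held open this long is notable

# Assumed format: "<ts> <initiator> -> <responder> <proto> bytes=<sent by server> dur=<s>"
FLOW_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>tcp|udp) bytes=(?P<bytes>\d+) dur=(?P<dur>\d+)$"
)

SAMPLE_FLOWS = """\
1700000000 198.51.100.23:51514 -> 10.0.0.5:443 tcp bytes=18234 dur=2
1700000005 10.0.0.5:40112 -> 10.0.0.2:53 udp bytes=96 dur=0
1700000050 198.51.100.80:49200 -> 10.0.0.5:443 tcp bytes=5120 dur=1
1700000300 10.0.0.5:45001 -> 203.0.113.99:8443 tcp bytes=40960 dur=7200
1700000900 10.0.0.5:45077 -> 203.0.113.99:8443 tcp bytes=20480 dur=15
1700001000 10.0.0.5:38000 -> 10.0.0.3:123 udp bytes=48 dur=0
garbage line that does not parse
1700001200 10.0.0.5:45100 -> 192.0.2.200:22 tcp bytes=300 dur=4
"""


def parse_flows(text):
    """Return (flows, skipped) where skipped counts lines that did not parse."""
    flows, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FLOW_RE.match(line.strip())
        try:
            if not m:
                raise ValueError("unrecognised flow line")
            flows.append({
                "ts": int(m["ts"]),
                "src": ip_address(m["src"]), "dst": ip_address(m["dst"]),
                "dport": int(m["dport"]), "proto": m["proto"],
                "bytes": int(m["bytes"]), "dur": int(m["dur"]),
            })
        except ValueError:
            skipped += 1   # malformed lines are counted, never silently dropped
    return flows, skipped


def classify(flow):
    """Label a flow by who started it and whether that is expected."""
    if flow["dst"] == SERVER and flow["dport"] in LISTEN_PORTS:
        return "inbound_request"       # a client asked; the server's bytes are the reply
    if flow["src"] == SERVER:
        for net, port in ALLOWED_EGRESS:
            if flow["dst"] in net and flow["dport"] == port:
                return "allowed_egress"
        return "unprompted_egress"     # server started it and nothing explains why
    return "other"


def find_unprompted_egress(flows):
    """Aggregate unexplained server-initiated flows per destination, largest first."""
    by_dest = defaultdict(lambda: {"flows": 0, "bytes": 0,
                                   "first_seen": None, "long_lived": False})
    for f in flows:
        if classify(f) != "unprompted_egress":
            continue
        d = by_dest[(str(f["dst"]), f["dport"])]
        d["flows"] += 1
        d["bytes"] += f["bytes"]
        d["first_seen"] = f["ts"] if d["first_seen"] is None else min(d["first_seen"], f["ts"])
        d["long_lived"] = d["long_lived"] or f["dur"] >= LONG_LIVED_SECONDS
    return sorted(({"dst": k[0], "dport": k[1], **v} for k, v in by_dest.items()),
                  key=lambda r: r["bytes"], reverse=True)


if __name__ == "__main__":
    flows, skipped = parse_flows(SAMPLE_FLOWS)
    print(f"parsed={len(flows)} skipped={skipped}")
    for finding in find_unprompted_egress(flows):
        print(finding)
```

The allowlist matters in practice: a server legitimately initiates DNS, NTP and update traffic, so the heuristic is "unexplained egress", not "any egress".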
I have no idea how smart such a tiny chip could actually be. Such a tiny chip likely would not have enough memory to store any gathered payload data. Instead, it would have to store that payload either on the operating system’s disks or in RAM. If the server was cut off from the Internet as most internal servers are, that disk or RAM would eventually fill its data stores up without transfer of that data to wherever it needed to go. Again, systems administrators would notice the spike in usage of /tmp or RAM due to the chip’s inability to send its payload.
If the hacking chip simply gives remote control access to the server without delivering data at all, then that would also be detected by an IDS. Anyone attempting to access a port that is not open will be blocked. If the chip makes an outbound connection to a server in China and leaves it open, that would eventually be detected. Again, a dedicated security team would see the unusual data traffic from/to the server and investigate.
If the hacking chip wants to run code, it would need to compile it first. That implies having a compiler in that tiny chip. Doubtful. If the system builder installs a compiler, the spy chip might be able to leverage it, assuming it has any level of knowledge about the current operating system installed. That means that chip would have to know about many different versions of Linux, BSD, MacOS X, Windows and so on, then have code ready to deploy for each of these systems. Unlikely.
Standards and Protocols
Bloomberg seems to think there’s some mystery box here that allows China to have access to these servers without bounds. The point to having multi-layer security is to prevent such access. Even if the motherboards were compromised, most of these servers would end up behind multiple firewalls in combination with continuous monitoring for security. Even more than this, many companies segregate servers by type. Servers performing services that need a high degree of security have very limited ability to do anything but their one task. Even getting into these servers can be a challenge even for administrators.
For web servers in a DMZ which are open to the world, capturing data here might be easier. However, even if the hacker at SuperMicro did know which company placed an order for motherboards, they wouldn’t know how those servers would ultimately be deployed and used. This means that these chips could be placed into server roles behind enough security to render their ability to spy as worthless.
It’s clear, these reporters are journalists through and through. They really have no skill at being a systems administrator, network engineer or security administrator. Perhaps it’s now time to hire technical consultants at Bloomberg who can help you guide your articles when they involve technical matters? It’s clear, there was no guidance by any technical person who could steer Jordan away from some of the ludicrous statements he’s made.
Bloomberg, hire a technical consultant the next time you chase one of these “security” stories or give it up. At this point, I’m considering Bloomberg to be nothing more than a troll looking for views.
How to protect yourself from the Equifax breach
Every once in a while, I decide to venture into the personal financial security territory. This time, it’s for good reason. Unfortunately, here’s a topic that is fraught with peril all along the way. It also doesn’t help when financial linchpins in the industry lose incredibly sensitive data, and by extension, credibility. Let’s explore.
Target, Home Depot and Retailer Breaches
In the last few years, we’ve seen a number of data breaches including the likes of Target and Home Depot. While these breaches are severe problems for the companies, they’re less problematic for the consumer in terms of what to do. As a consumer, you have built-in protections against credit card fraud. If a thief absconds with your number, your liability is usually limited to around $50, but that also depends on the card… so read your fine print.
With the $50 you might have to pay, the inconvenience to you is asking your credit card company to issue you a new card number. This request will immediately invalidate your current card number and then you have to play the snail mail waiting game for a new card to arrive. That’s pretty much the extent of the damage with a retailer like Target or Home Depot.
No one wants to go through this, but it’s at least manageable in time… and you can get back on with your life. For breaches like Equifax, this is a whole different ball game, let’s even say, a game changer. Breaching Equifax is so much more than a simple credit card inconvenience.
Credit Reporting Agencies and Breaches
With Equifax breached, this is really where the government needs to step in with some oversight and regulations. What your social security number is to the government, your credit reporting file is to your personal financial health. This breach is a dangerous game… and worse, Equifax is basically taking it lightly, like it’s no big deal. This is such a big deal, you will absolutely need to take steps to make sure your data is secure (and even then, that only goes so far).
First, I’ll discuss what this breach means to you and how it might affect you. Second, I’ll discuss what you can do to protect yourself. Let’s start with some basic information.
There are 3 primary credit reporting agencies (aka credit bureaus):
Unless you’ve never had a credit card, you probably understand what these businesses do. I’ll explain for the uninitiated. These agencies collect and report on any outstanding credit card or revolving lines of credit you currently have. If you have a mortgage, these entities know about it. If you have a credit card (or many), they know. They also know lots of other data (i.e., previous and current address), what loans you’ve had in the past, what bank accounts you have, what balances are on your outstanding lines of credit, any collections activities and the list goes on and on. It also lists your birth date, social security number and full credit card numbers and account numbers.
Based on all of your credit lines, how well you pay and so on, these companies create a FICO credit score. This score determines how low an interest rate you’ll receive on new loans. The existence of these companies is a bane, but they are also your lifeline if you need new credit. Even just one blemish on your record can prevent you from getting that loan you need to buy your new house or new car. Without these linchpin companies, lenders wouldn’t be able to determine if you are a good or bad credit risk. Unfortunately, consumers are at the mercy of these companies to produce accurate data to lenders (and to protect that data from theft)… a task that Equifax failed to do.
What did Equifax lose?
Equifax lost data for 143 million record holders. While that number may seem small, the damage done to each of those 143 million record holders will eclipse the damage produced by Target and Home Depot combined. Why? Because of how these credit reporting agencies actually work.
Equifax (and pretty much all of these credit reporting agencies) have flown under the radar in what they do. If you go to a car dealer, find a car you want and fill out loan paperwork, that dealership will pull a credit report from one or more of these agencies. Your credit report will contain a score and all loans currently outstanding. It also shows how well you pay your loans, any delinquencies in the past and other financial standing metrics. This credit report will be the basis of whether you get a loan from the car dealership and at what interest rate.
Hackers had access to this data between May and July of 2017. The hack was found on July 29th, but not reported to the public until September 8th. That’s over a month that Equifax sat on this news. It’s possible that they were requested by law enforcement to hold the announcement, we just don’t really know.
What was lost?
According to the Washington Post:
Hackers had access to Social Security numbers, birth dates, addresses, driver’s license numbers, credit card numbers and other information.
According to the New York Times:
In addition to the other material, hackers were also able to retrieve names, birth dates and addresses. Credit card numbers for 209,000 consumers were stolen, while documents with personal information used in disputes for 182,000 people were also taken.
Those dispute documents being PDFs of bills, receipts and other personally identifying information. I’ve also read, but have been unable to find the corresponding article, that the hackers may not have had access directly to the credit report database itself, but only to loose documents in a specific location. However, even with that said, do you really trust Equifax at this point? I certainly don’t.
Why is this such a big deal?
Because the credit reporting agencies have played it fast and loose for far too long. They make boat loads of money off of each credit report that’s pulled. If you pay $50 as part of the loan process to pull your credit report, the dealership will keep part of that money and the rest goes to Equifax. Because many loan applications are processed every day, some credit reporting agency is making money. Making money isn’t the problem, though.
These agencies will pull a report for anyone willing to spend money. This includes people with stolen credit cards. However, that only gets thieves so far before being caught. Instead, breaking into computers at the agency allows them to not only pull credit reports for anyone who has a record, they can get access to lots of sensitive information like:
- Social Security Numbers
- Birth Dates
- Addresses
- Places of employment
- Home Addresses
- Credit card numbers
- Dispute Documents
- Etc..
Basically, the thieves may now have access to everything that makes up your identity and could steal your identity and then attempt to divert bills away from your house, create new cards, and do other things that you may not be able to see. If they managed to get access to your credit report, they can open cards out the wazoo. They can charge crap up on those cards. And, they can perform all of this without your knowledge.
Credit Monitoring
You might be thinking, I’ll set up a credit monitoring service and have the credit reporting service report when activity happens. Even that, while only somewhat effective, is still subject to being breached. If the thieves have access to all of your identity information, they can request the credit reporting service to do things like reissue passwords to a new email address and send sensitive reports to a bogus address. These thieves can even undo security setups like a credit freeze and reassign all of that information to their own address. You won’t see or even know about this unless you regularly check your credit reports.
This problem just barely peeks into the can of worms and doesn’t even open it fully. There are so many things the thieves can do with your identity, that by the time you figure it out, it could be far, far too late. So, don’t think that signing up for credit monitoring is enough.
Sloppy Security Seconds
In fact, it wasn’t seconds, it was almost 2 months before the breach was known to the public. A move that not only shows complete disregard for 143 million people’s financial security from a company who should be known for it, Equifax doubled down by creating a lead generation tool in their (ahem) free TrustID tool. Keep in mind that that TrustID tool is only (ahem) free for one year, after that you pay. Though, protecting against new account creation is only half the problem. The other half to which TrustID can’t help is protecting your existing accounts. Because credit reports contain every account and every account number you own, if your data was compromised (and with 143 million accounts worth of data lost, it’s very possible), you need to do so much more.
Even the Security Checking Tool (which was questionably put up on a brand new created domain???) seems to have been a sham and had its own share of SSL certificate problems leading to some browsers showing the site as a scam. Some Twitter users have entered bogus data… and, this checking tool seems to have stated this bogus data was included in the breach. The question is, does that tool even work or is it merely security theater? Yet another black eye among many for Equifax’s handling of this data breach. To wit…
and then this tweet…
To sign up for Equifax’s TrustID premium service, you have to enter even more personally identifying data into a form of a company that has clearly demonstrated they cannot be trusted with your data. Why would anyone do this? Seriously, signing up for a service with a company who just lost a bunch of information? No, I think not. Instead, Equifax should be required to pay victims for a monitoring service with either TransUnion or Experian (where breaches have not occurred.. yet).
On top of entering even more personal information, the service requires you waive your right to lawsuits against Equifax and, instead, requires binding arbitration. Yet another reason not to sign up.
It’s not as if their credit monitoring service is really going to do you a whole lot of good here. If you really do want a credit monitoring service, I’d suggest setting it up with Experian or TransUnion instead. Then, figure out a way to get Equifax to pay you back for that service.
Can’t I reissue credit card numbers?
While you can do this, it won’t protect you fully. The level of what the thieves can potentially do with your data from Equifax goes much deeper than that. Yes, changing the numbers will help protect your existing cards from access. However, it won’t stop thieves from opening up new accounts in your name (and this is one of the biggest problems). This is why you also need to set up a credit freeze.
Because the thieves can now officially pretend to be you, they can do such things as:
- Pretend to be you on the phone
- Call in and request new pin codes based on key identifying information (address, SS#, phone number, etc)
- With your old address, they can then transfer your bills to a new address
- They can reissue credit card numbers to that new address
You’re probably thinking, “What about the security measure my bank uses? Won’t that protect me?” That depends entirely upon how convincing the thief can be over the phone. If they can answer all of your identity information and find a representative who can bypass some of the bank’s security steps, they can get a foot into the door. That’s all it takes for them to basically take over your credit accounts… which is one step away from potentially hijacking your bank accounts. A foot in the door is enough in many institutions to get the ball rolling towards full hijacking.
How do I protect myself?
If your data was involved in the breach (unfortunately, the tool that Equifax provides is sketchy at best), the three bare minimum things you should do are:
- Contact one of the three credit bureaus and ask for a free 90 day fraud watch
- Contact all three and ask for a credit freeze on your records at each credit reporting agency
- Set up credit monitoring at TransUnion or Experian
The 90 day fraud watch means they will need to let you know when someone tries to do anything with your credit report. However, this watch is only good for 90 days and then expires. The good thing about requesting this watch is that you only have to do it at one bureau. All three will receive this watch request from your contact with one of them. The bad thing is, 90 days is not nearly long enough to monitor your credit. In fact, the thieves will expect the 90 day fraud watches, wait them out, then go after it hard and heavy after these begin expiring.
A freeze, on the other hand, lasts until you unfreeze. A freeze puts a pin code on your credit record and that pin is required each time a company needs to pull a copy of your credit report. This will last far, far longer than a 90 day watch and serves to stop the thieves in their tracks. To freeze your records, you will need to contact all three separately and perhaps pay a fee of $5-10 depending on where you live.
Setting up credit monitoring means you can be alerted to whenever anything changes on your credit report. But, credit monitoring won’t stop the changes from occurring. Meaning, you’ll be alerted if a new card is opened, but the monitoring service isn’t a preventative measure.
You can contact each bureau as follows to set up any of the above services, including a credit freeze (links below):
- Equifax or call 1-800-349-9960
- TransUnion or call 1-888-909-8872
- Experian or call 1‑888‑397‑3742
Neither a fraud watch nor a credit freeze will impact your credit score. A freeze simply prevents any business from pulling your credit report without having your pin code. Companies for which you already do financial business or have loans established can still pull reports as needed. However, any new loans will be required to have your security pin code. You can learn all about the details of a credit freeze at this FTC.gov web site.
Unfortunately, because the breach may have been more extensive than it appears, a thief can now contact the credit bureaus over the phone, pretend to be you and have any pin codes removed and/or reissued. Then, gain control over your credit records. This is why this breach is so treacherous for consumers. You need to be on your guard, vigilant and manually monitor your credit report for at least the next 12 months regularly. This is the part no big box media site is reporting. Yes, this is a very treacherous landslide indeed that is at work. Even if you do all of the protections I mention above, thieves can still subvert your financial records for personal gain by knowing your key personally identifying information.
How do I stop the thieves?
This is the fundamental problem. You can’t, at least not easily. To truly protect yourself, the scope of changes would include all of the following:
- Get a new social security number
- Reissue all of your credit card and debit card numbers
- Open new bank accounts, transfer your money into the new accounts
- Close the old bank accounts
- Reissue new checks
- Change your telephone number
- Move into a new address (or obtain a P.O. Box and send your bills there)
- Legally change your name
- Change all of your passwords
- Change all of your email addresses
- Set up multifactor authentication to every financial app / site you log into that supports this feature.
Unfortunately, even doing all of the above would still mean the credit bureaus will update your credit report with all of this new data, but your prior history would remain on the report… possibly up to and including all of the old account, name and address information. It is very, very difficult to expunge anything from a credit report.
In addition to the above, I’d also suggest closing any credit lines you don’t regularly use. If it’s not there, it can’t be exploited. None of this is a magic bullet. You just have to wait it out and shut the thieves down as things materialize. Being diligent in watching your credit report is the only way to ensure you nip things in the bud early.
Tidal Waves and Repercussions
It is yet unknown the extent of their breach or the extent to which each consumer may have to go to protect themselves from this deep gash in the financial industry. Not only does this gash now undermine each account holder’s personal financial well being, it undermines the credibility of the very industry holding up the world’s economy. This is some serious shit here.
If half of the US’s residents are now available to identity thieves, those organizations who help protect the small amounts of identity theft throughout a normal year cannot possibly withstand a financial tidal wave of identity theft paybacks which could seriously bankrupt many credit organizations. In fact, if this tidal wave is as big as I suspect it could become, we’re in for some seriously rough financial waters over the next 6-12 months. By the time the holidays roll around, it could be so bad, consumers cannot even buy the goods needed to support the holiday season. Meaning, this could become such a disruptive event in the US’s financial history, many businesses could tank as a side outcome of consumers not being able to properly spend money during the most critical season of the year.
This has the potential to become one of the most catastrophic financial events in US history. It could potentially become even more disruptive than the 1939 stock market crash. Yes, it has that much potential.
Since I have no reason to believe that Equifax has been totally honest about how much data has actually been lost, this is the reason for this level of alarm. I’d be totally happy if the amount of data lost was limited to what they have stated, but the reality is, nothing is ever as it seems. There’s always something deeper going on and we won’t find that out for months… possibly at the point where the economy is hit hard.
Equifax Aftermath
Because the US is so pro-business, Equifax will likely get a slap on the wrist and a warning. Instead, this company should be required to close its doors. If it is not providing adequate data security measures to protect its systems, then it needs to shut its doors and let other more capable folks handle this business. This sector is far too critical of a service and that data too risky if lost to allow flippant companies like Equifax to continue to exist in that market.
Rant Time: Don’t ever wipe your network settings in iOS
I’ve been recently trying to solve a problem with T-Mobile which ended up a bust because of the absolute sheer uselessness of T-Mobile staff about the iPhone and Apple Watch features. I will write a separate rant about that entire disaster, but let me lead with this rant that’s a little more critical. Let’s explore.
Apple’s iCloud
What is this thing? It’s a way to store settings and various data in Apple’s network cloud storage. This seems like a great idea until you realize what Apple keeps ganging up into this storage area. Then, you might actually think twice about using this feature.
While you might realize that Apple iCloud service will backup your photos and other data stored on your iPhone, it also stores other things you might not realize, like your WiFi network passwords, your Safari logins and passwords and various other sensitive data. What that means is that if Apple’s iCloud is ever compromised, your passwords could be completely captured by a hacker. Depending on whether Apple has stored this data encrypted strongly or not (probably not), you may end up having to change every password you have ever typed and stored on your iPhone.
Now, while that is a security problem, that’s not the problem that this article is intended to address. Let’s continue.
Apple Geniuses Are Anything But
I was recently talking to an AppleCare staffer who, when trying to solve my T-Mobile problem, requested that I wipe my network settings on my iPhone. I explicitly asked this staffer if it would also wipe my iCloud passwords. She, of anyone on this planet, should have known the answer to this question working for Apple. Unfortunately, I have very quickly learned that Apple is now hiring the lowest grunts of the grunts who simply don’t give a shit nor do they even understand the technology they are hawking. Apple, train your staff. Which leads to …
Never, Ever EVER wipe your network settings on any iOS iCloud device
No matter how much anyone begs or pleads you to do this, tell them, “NO”. And, if anyone ever tries to do this to one of your devices sharing a single iCloud login, you need to grab the device back from them PRONTO and stop them.
The answer to my question I asked Apple is that wiping network settings on your phone does, in fact, indeed wipe all of your network settings in iCloud! Why is this important? If you have multiple devices sharing your iCloud ID and settings, after wiping a single device, all of your WiFi passwords are also wiped for ALL other iCloud devices. This means that every single iCloud device suddenly and explicitly drops its WiFi connection.
This also means you will need to go back to each device and manually re-type your WiFi password into each and every device. This is the only way for the device to log back into iCloud and relearn all of its knowledge of all newly recreated settings.
This is an absolute PAIN IN THE ASS, Apple! So, if anyone ever asks you to wipe your network settings on your iPhone or iPad participating in iCloud, don’t do it! Note that even signing out of iCloud and wiping may cause the same problem once you log it back in. So, I wouldn’t even try this knowing Apple’s crappy network designs. Simply tell the person asking, “Not only no, but hell no” and have them figure out another way to resolve whatever the problem is.
So, there you have it.
Pulse Club Shooting and Reopening
As we all know by now (and if you haven’t, you’re probably living under a rock), the Pulse Club was a primarily gay dance night spot located in Orlando, Florida. Unfortunately, as a deadly shooting unfolded, it has now become the unwitting site of the worst mass shooting in the US so far. Should it reopen? Let’s explore.
Shooting Aftermath
After that 3 hour massacre ended in the death of the shooter, this situation now leaves more questions than answers, especially for the victims’ families and those who were injured. In fact, my heart goes out to each and every one of the victims’ families. Those people who had gathered at that club that night arrived to have fun, drink and dance. Many had done so on many previous nights. Nothing wrong in that.
Unfortunately, the shooter had other plans. He entered this night club with the intent of taking lives. After 3 hours of standoff with law enforcement, the situation ended with the death of the shooter, but not before 49 people were dead and 53 others were injured and sent to hospitals. Let’s not forget about those who were not injured, but who were there witnessing this horrific event unfold. These victims may not have physical injuries, but they now have emotional injuries that may take decades and therapy to resolve. Survivor’s guilt is a real thing. A horrible situation for any business owner to contemplate.
Club Reopening?
The manager of the club, Barbara Poma, is trying to salvage this situation with her business and has vowed to reopen this night club. Unfortunately, the Pulse Club has now become a victim in its own right with a massive stigma attached: the massacre and all of those brutal deaths. This situation never spells a good end to any business. Barbara, if you are in fact reading this, I’d strongly suggest not reopening this club at that location. However, before considering reopening, you should most definitely wait (see below). There are a number of reasons why it shouldn’t reopen in its current form:
1. Macabre thrill seeker tourists. Your club has now (and will for a very long time) become an unwitting tourist destination for those seeking a brush with the macabre. Yes, your club will now have people seeking to stop by and talk about the massacre, the deaths, the victims with anyone who will talk about it including to your customers, your staff and you. This will eventually become distracting and annoying to your customers who are there just to party. It will drive your existing customer base away. This will not be forgotten quickly or easily.
2. Ghost hunters. Because of the 49 deaths in your club, inevitably someone will claim they have seen or heard the ghost of one of those who died on your premises. I’m not here to argue the merit of that type of claim, but I will state that your club will become a destination for ghost hunters looking for ghosts. Again, this will be to the distraction of your paying visitors simply there to have a good time. It will also become a distraction for your bartenders and other staff. This will also drive your existing customer base away.
3. Regulars will shy away. For those who were regulars to your club and who were there that night, they won’t be back. Your club is forever tainted as that club that had a mass shooting and now holds that stigma high and wide like a badge of honor, except there’s no honor in that. For anyone who was there that night, the memory is just too painful and few will be back to avoid reliving that memory, especially those who were trapped in there for hours.
4. Tainted by death. The Pulse Club brand has now become the unwitting poster child for mass shootings. What I’m about to write may seem a little crass, but you might as well re-theme your club to have heart monitors, hospital beds, and nurses running around if you want to move forward with this name. This is what people will forever link to this club’s name. People will not remember it for the fun party spot. It will now be remembered for the deaths and those living victims still in the hospital. If you don’t have any intent on capitalizing on this notoriety, you should change the name and move the club to another location.
5. Because of at least number 4, you may find that your original customer type no longer visits your club. You may find that types 1-4 make up the vast majority of those who visit your club. They are not there to have a good time, they are there to take pictures, vlog, gawk, talk to your staff and generally be a nuisance to your club. It might even lead to confrontations that you and your staff might not want to deal with. You can never know the intent of a single person requesting access into your club.
What this basically says is if you reopen the club, your clientele will drastically shift from that happy-go-lucky dance place that it once was to that-place-that-had-a-mass-shooting. The above are not necessarily the reasons you want people at your club. The Pulse Club can never live its now-infamous past down. Even if you change the name of the club, paint it, redecorate it and refurnish it from top to bottom, that location won’t ever forget what happened.
Rebuilding the Pulse Club
The only way the Pulse Club can ever live again is by moving it to an entirely new location somewhere else in the city and rebranding it. You must abandon that building and let it become someone else’s problem and stigma to solve. What happened there is something that stays with that building, not with your business. If you want to get your business back the way that it was, you cannot reopen in that location. You must move your business to a new building. This is the only way to free yourself from the thrill seekers, from the macabre, from the ghost hunters and from those just morbidly curious. These people are not the reason why you opened your club and these are not the reasons you should want to continue with your club.
These are distractions that only serve to taint your establishment, chase off would-be new customers and cause your staff daily grief throwing random lookie-loos out. You need to ask yourself the hard question, is this really the reason you opened the Pulse Club?
Before you contemplate reopening the club, you need to let the legal dust settle. And, settle it will, I can guarantee that. Before making plans of spending money to renovate your club, you should reserve those funds for the upcoming legal battles that are about to ensue… and sue they will.
Lawsuits and the Future of Pulse
We haven’t seen the last of what is in store for this club. Just you wait. Some of the victims will file wrongful death suits at someone, anyone, for negligence. Where to start? The club’s owner. It’s as good a place as any.
Was the Pulse Club negligent in what happened? Well clearly, if the club’s staff had been properly enforcing at least metal detection or a pat down at the door, the guns might not have gotten into the building. Unfortunately, it now appears that this club was not enforcing any safety best practices when allowing patrons into the establishment. This could very much appear as negligent actions by the club’s owner. And, there are 53 living injured who can file lawsuits against this club. There are an additional 49 families who can also file lawsuits against this club. There are additional people like employees and those who suffered severe mental anguish at the horrific events that night who can also file lawsuits.
Unless the Pulse Club owner has engaged in specialty insurance in high amounts to cover such occurrences (probably not), she may find the Pulse Club out of business and her personal finances spent covering each and every one of those yet-to-be-filed lawsuits. It’s way too early for this club’s owner to be thinking about reopening the night club when the legal battles have barely even begun.
Clearly Barbara, as the club’s owner, you should wait out the legal battles before making plans to reopen this club. You may find that you can’t actually afford to reopen the club after the legal dust settles.
Victims
If you are a victim of this shooting, you should contemplate all of your legal options and you should do so quickly with your lawyer. If you are intent on filing a lawsuit, you should do it as fast as possible. The first to the table are usually the first to walk away with settlements. If you are one of the last, you might get nothing.
Was this club negligent by allowing a shooter with a Sig Sauer MCX rifle (every bit as deadly as an AK-47, just quieter) into this club? Clearly, the Pulse had very little in the way of security due diligence at the door. Is that considered negligent? Only a court can decide.
Yahoo: When recycling is not a good idea
After Marissa Mayer’s team recently decimated Flickr with its new gaudy and garish interface and completely alienated professional photographers in the process, her team is now aiming its sights on a new, but unnecessary, problem: recycling of long expired user IDs. Yahoo had been collecting user IDs for years. That is, people sign up and use the account for a while, then let the account lapse without use for longer than 30 days. Yahoo marks the ID as ‘abandoned’ (or similar) and then locks it out forever, until now. Some employee at Yahoo offered up the incredibly bad idea to recycle IDs. Unfortunately, this decision to recycle IDs may actually become the demise of Yahoo. Let’s explore.
Recyclables
I’m guessing that Yahoo has decided to make it look like it’s doing something good by recycling something, anything. That is, Yahoo is now letting people Wishlist long-closed user IDs that had been previously locked. Hurry, though, you only have until Aug 7, 2013 to wishlist that long forgotten ID. The trouble is, these old abandoned IDs are clearly second-hand goods. Let’s understand what exactly that means and why you really don’t want one (unless, of course, it was previously yours).
1) Obviously… Spam
Clearly, you aren’t asking for this old ID so you can jump onto that horrendous new Flickr interface or because you intend to read Yahoo News or OMG. The most obvious reason to want that ‘primo’ ID is for the email address. Unfortunately, you have no idea how that account was formerly used or what baggage might be associated with it! So, unfortunately, you will have no idea what exactly you’re getting into by re-using someone’s old ID. The person might have signed up for it just to divert tons of spam into it. Yes, this happens. That means, you could open the account and find it filled with spam in only 5-10 minutes, literally. Who’s to say someone wasn’t using it for illegal purposes and it was shut down for that purpose?
Yeah yeah.. Yahoo claims they will ‘unsubscribe’ the old ID from newsletters and so forth and these will have been ‘idle’ for at least 12 months (the first batch), but they’ve outlined no way in which they plan to accomplish this unsubscribe piece. Are they really going to hire a bunch of people to sit around clicking unsubscribe links and filling out unsubscribe forms? I think not. It’s all song and dance with no substance. Not to mention unsubscribing legitimate email subscriptions only accounts for about half (or less) of the total email volume that ends up in an inbox. So, don’t expect any miracles from Yahoo. If they can stop email, the best they can stop is about 40-50% at most. All of the rest will still show up merely by you having signed into your ‘new’ account.
A new email header?
Oh yeah, Yahoo is also trying to rush through the IETF RFC process a new header called require-recipient-valid-since that takes a date as an argument. This header basically requires marketers to know the exact acquisition date of every email address in their lists. Assuming email marketers know this date, which is a huge and incorrect assumption for Yahoo to make, when the email marketers send email containing this date, the email will supposedly end up in the correct account (or not) depending on the date. Because of this date header, that could lead real email to go missing or spam to show up. Unfortunately, as I said, this is an incorrect assumption. Most email marketers barely know the source of their leads, let alone when they acquired it. No, this date thing simply won’t work. And even then, this header will only work with email marketers willing to follow the rules. Spammers that don’t care won’t bother.
Worse, Yahoo is planning on handing out these newly freed old accounts in mid-August. Like every email marketing firm will simply drop whatever business plans they currently have to retool their applications to support this rushed and nearly useless header. Is Yahoo really that asleep at the switch?
2) Fraud, Account and/or Identity Theft
If you happened to have owned one of these long abandoned accounts or you otherwise lost your Yahoo account long ago, you’ll want to be very careful here. You can be guaranteed that there are already people scouting for popular long dead accounts to resurrect and phish for accounts, theft and identities. These thieves know that banks and other legacy institutions keep email addresses on file until you explicitly change them. Even then, these institutions can have issues updating this information in their systems even when you do request the change. So, if someone obtains a long dead account and then browses to Wells Fargo or Bank of America’s web site to request a password reset, they could abscond with your account credentials and your money, assuming you still have (or ever had) any old Yahoo accounts hooked up to any financial accounts.
Yahoo claims to have ‘security’ mechanisms planned, but good luck with relying on that. I can’t even see that working. Granted, if banks fill in ‘require-recipient-valid-since’ with the appropriate acquisition date in every email they send, the banks can help prevent this issue (assuming the header works as expected). But, that also assumes the bank has an email address acquisition date to fill in this header. That also assumes that the bank can even roll out this header change in the time allotted before Yahoo starts doling these old IDs out. The clock is ticking and Yahoo hasn’t even gotten the RFC completed.
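The receiving side of the header described above, as an added example (not Yahoo’s code and not part of the original post). It assumes the `address; date` field syntax the proposal was later published with in RFC 7293, and a constructed `OWNER_SINCE` table standing in for the provider’s record of when each ID last changed hands; treating a malformed field as absent is a choice made for this sketch.

```python
"""Receiver-side check of Require-Recipient-Valid-Since for a recycled mailbox."""
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed data: address -> moment the CURRENT owner took over the ID.
OWNER_SINCE = {
    "primo@mail.example": datetime(2013, 8, 15, tzinfo=timezone.utc),   # recycled ID
    "steady@mail.example": datetime(2004, 3, 2, tzinfo=timezone.utc),   # never reissued
}

FIELD = "Require-Recipient-Valid-Since"


def parse_rrvs(value):
    """Split 'addr-spec; date-time' into (lower-cased address, aware datetime)."""
    addr, sep, date_text = value.partition(";")
    if not sep or not addr.strip() or not date_text.strip():
        raise ValueError("expected 'address; date'")
    try:
        when = parsedate_to_datetime(date_text.strip())
    except (TypeError, ValueError) as exc:   # exception type differs by Python version
        raise ValueError("unparseable date") from exc
    if when.tzinfo is None:                   # '-0000' yields a naive value; read it as UTC
        when = when.replace(tzinfo=timezone.utc)
    return addr.strip().lower(), when


def evaluate(raw_message, rcpt):
    """Return a delivery decision for one recipient of one message."""
    rcpt = rcpt.lower()
    owner_since = OWNER_SINCE.get(rcpt)
    if owner_since is None:
        return "reject: no such mailbox"
    msg = message_from_string(raw_message)
    asserted = []
    for value in msg.get_all(FIELD, []):
        try:
            addr, when = parse_rrvs(value)
        except ValueError:
            continue                          # malformed field: treated as absent
        if addr == rcpt:                      # a field for another address says nothing here
            asserted.append(when)
    if not asserted:
        # Senders that never set the field (spammers, unmodified systems) land here.
        return "deliver: no assertion"
    if any(owner_since > when for when in asserted):
        # The sender learned this address before the current owner held it.
        return "reject: owner changed"
    return "deliver: owner unchanged"


def build(to, rrvs=None):
    """Constructed sample message: a password-reset mail from a bank."""
    lines = ["From: alerts@bank.example", f"To: {to}", "Subject: Password reset"]
    if rrvs:
        lines.append(f"{FIELD}: {rrvs}")
    return "\n".join(lines) + "\n\nReset link follows.\n"


if __name__ == "__main__":
    acquired_2009 = "1 Jun 2009 09:00:00 -0500"
    cases = [
        ("primo@mail.example", f"primo@mail.example; {acquired_2009}"),
        ("steady@mail.example", f"steady@mail.example; {acquired_2009}"),
        ("primo@mail.example", None),
    ]
    for rcpt, rrvs in cases:
        print(rcpt, "|", rrvs, "->", evaluate(build(rcpt, rrvs), rcpt))
```

The third case is the gap the post points at: mail that carries no such field is delivered to the new owner of the recycled ID exactly as before.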
Fraud and identity theft are a very likely outcome of recycling old Yahoo accounts. If you’re reading this article and you have ever used a now-long-closed Yahoo ID for email, I urge you to go through all of your important accounts and make sure you have deleted all references to your old Yahoo email address immediately! Otherwise, some random person could come to own your old ID and can then cycle through sites requesting password resets just to find what sites your old ID may have used. This is the number one security threat that Yahoo can’t easily get around or easily address. Note that a hacker who obtains an old ID only needs to get access to one of your accounts that will email your real plaintext password back to them and then they’ll work their way up to your bigger accounts. This is one of the biggest reasons this is an incredibly bad idea from Yahoo.
I’d also suggest that for any accounts you do have (i.e., Facebook, Gmail, etc), make sure to add alternative email addresses other than your Yahoo address for password resets and other security related emails. If you can, remove all your Yahoo addresses outright even if they are live. Use Gmail or Windows Live Mail instead (at least until they decide to go down this stupid ID recycling road).
3) Yahoo Mistakes
Ooops.. we didn’t actually intend to give away your live account. Sorry, ’bout that.
And then you’re stuck without an account. Yahoo is not publishing what accounts are under consideration specifically. They only say that these ‘dead accounts’ have been idle longer than 12 months in the first batch. Thereafter, any account that has been not accessed for 30 days is up for reissue consideration. There is nothing to say that Yahoo won’t make a mistake and re-issue a live and active account to some random person who signed up on the Wishlist. I can easily see this becoming one of the biggest blunders that Yahoo makes in this process. Unless the Yahoo staff is incredibly careful with this process, it would be super easy to accidentally give some random schmo access to an active live Yahoo account by mistake. For this reason alone, I’d consider closing out all of my Yahoo accounts except for one thing. They would recycle my account string name in 12 months (or 30 days) and I’d be right back here in this situation again worrying about what of my other accounts were tied to this email address.
Basically, I can’t close my Yahoo account because it’s too great of a security risk. If I leave it open, I risk Yahoo accidentally giving it away in this stupid ‘wishlist’ process. It’s really a no-win situation. After Flickr, I have less and less trust in Yahoo and this is now leaving every Yahoo user in the lurch. This basically means you can NEVER EVER close your active Yahoo account if you want to keep your other accounts secure.
4) Missing Email
Even if you do manage to get your hands on one of these ‘prized’ IDs, Yahoo claims to be putting technical measures into place to prevent security issues. That could very well mean that for recycled accounts your mail delivery will be spotty, if it even works. Meaning, Yahoo may so heavily scrutinize emails heading to these recycled IDs that legitimate mail that’s been marked as ‘a security risk’ may simply never show up. So, for emails like password resets to accounts, you may find that these emails simply never show up at all. Basically, anything that Yahoo’s email system construes as a security risk could simply just go missing. This is the most likely outcome of this recycling. Note that this problem could end up extending to every Yahoo account which could make Yahoo Mail a very problematic place for any email purposes.
Excess Baggage?
If after reading the above, you are still considering an ‘old used account’, I really can’t understand why. Taking on someone else’s old email and Yahoo baggage isn’t something I’d want to deal with (are they going to be sure to clear off all old comments and Yahoo answers for this old ID?). So, someone pops up from years past not knowing that Yahoo ID has been reissued and then you get some old boyfriend email, or someone who hated the previous owner of that ID. Then what? So, then you’ll be left with a mess to clean up. Why would you want to deal with this excess baggage when you can get a new account that’s never been issued and not have to deal with this problem at all? However, knowing that any account you create at Yahoo would be recycled later, how could you rely on it for any kind of security? You can’t. So, I might suggest Gmail or Windows Live Mail (or any other free email service not recycling IDs) instead of Yahoo.
Alternatives?
Unfortunately, I don’t see any other alternatives with Yahoo at this point. This is an incredibly stupid decision from Yahoo. I have no idea what the folks at Yahoo are even thinking. It’s not like a telephone number. You give that up and no one thinks twice that someone could use that old phone number nefariously. Unfortunately, nearly every site now uses email addresses to know if you ‘own’ your accounts. So, password resets, pin codes, and all manner of secure information traverses through email addresses.
One thing that Yahoo may inadvertently cause with this change is for banks and other financial institutions to rethink how they validate a user’s identity. Clearly with this change, email addresses can no longer be trusted as secure or even be known to be owned by only one person. This throws security surrounding email addresses into complete turmoil for any site that uses email addresses as validation.
Based on the previous paragraph, sites may start preventing use of @yahoo.com email addresses for their services. Knowing that you could lose your Yahoo account and then have it turned over to someone else 30 days later could easily lead to site compromises. To simply avoid this situation entirely, sites that rely on security may simply stop letting @yahoo.com email addresses sign up for service. So, one of the biggest benefits of using Yahoo Mail will end. I’d expect a mass exodus to Gmail or Windows Live Mail after the dust settles here. In fact, this decision may kill Yahoo Mail as any kind of a real email service. Does Marissa have any idea what the hell she’s doing? If I were on the Yahoo board, I’d be seriously considering ousting this one right about now.
If I were in a position at Yahoo to make this decision, I would have killed this idea before I’d ever left the conference room. That Yahoo is even contemplating making this move at this time is completely questionable. Let’s just hope that when someone’s account is compromised and/or has identity theft as a direct result of this bad Yahoo decision, that someone will sue the pants off of Yahoo. That will at least teach other ISPs that this is not, in any way, an acceptable practice.
Risky Business
This decision has disaster written all over it. This is also a huge liability risk for Yahoo. Yes, Yahoo may have written in their Terms and Conditions that they have the right to reissue account names. But, since they hadn’t been doing this from the beginning and they’re now choosing to do this without proper preparations, this is a huge legal risk. It only takes a handful of users whose accounts get compromised or whose identities get stolen as a result of Yahoo’s new policy for this to end in courtroom dates. I can’t even fathom what benefit Yahoo derives from reissuing old IDs, but I can definitely see huge legal liabilities and black clouds looming over this now floundering company. In fact, the liabilities so outweigh the potential benefits to Yahoo, I have to completely question the purpose of this decision. Let’s hope Yahoo is all lawyered up as I can see the court dates piling up from this very very bad decision.
iPhone Risk: Your Employer and Personal Devices
So, you go to work every day with your iPhone, Android phone or even an iPod. You bring it with you because you like having the convenience of people being able to reach you or because you listen to music. Let’s get started so you can understand your risks.
Employment Agreements
We all know these agreements. We typically sign one whenever we start a new job. Employers want to make sure that each employee remains responsible all during employment and some even require that employee to remain responsible even after leaving the company for a specified (or sometimes unspecified) period of time. That is, these agreements make you, as an employee, personally responsible for not sharing things that shouldn’t be shared. Did you realize that many of these agreements extend to anything on your person and can include your iPhone, iPod, Android Phone, Blackberry or any other personal electronic device that you carry onto the property? Thus, the Employment Agreement may allow your employer to seize these devices to determine if they contain any data they shouldn’t contain.
You should always take the time to read these agreements carefully and thoroughly. If you don’t or can’t decipher the legalese, you should take it to an attorney and pay the fee for them to review it before signing it. You might be signing away too many of your own personal rights including anything you may be carrying on your person.
Your Personal Phone versus Your Employer
We carry our personal devices to our offices each and every day without really thinking about the consequences. The danger, though, is that many employers now allow you to load up personal email on your own personal iDevices. Doing this can especially leave your device at risk of legal seizure or forfeiture under certain conditions. So, always read Employment Agreements carefully. Better, if your employer requires you to be available remotely, they should supply you with all of the devices you need to support that remote access. If that support means you need to be available by phone or text messaging, then they should supply you with a device that supports these requirements.
Cheap Employers and Expensive Devices
As anyone who has bought an iPhone or an Android phone can attest, these devices are not cheap. Because many people are buying these for their own personal use, employers have become jaded by this and leech off this freebie by allowing employees to use their own devices for corporate communication purposes. This is called a subsidy. You are paying your cell phone bill and giving part of that usage to your employer, unless your employer is reimbursing you part or all of your plan rate. If you are paying your own bill without reimbursement, but using the device to connect to your company’s network or to corporate email, your device is likely at high risk should there be a legal need to investigate the company for any wrongdoing. This could leave your device at risk of being pulled from your grasp, potentially forever.
If you let the company reimburse part or all of your phone bill, especially on a post-paid plan, the company could seize your phone on termination as company property. The reason: post-paid plans pay for the cost of the phone as part of your bill. If the company reimburses more than 50% of the phone cost as part of your bill, they could legally own the phone at the end of your employment. If the company doesn’t reimburse your plan, your employer could still seize your device if you put corporate communication on your phone because it then contains company property.
What should I do?
If the company requires that you work remotely or have access to company communication after hours, they need to provide you with a device that supports this access. If they are unwilling to provide you with a device, you should decline to use your personal device for that purpose. At least, you should decline unless the employment agreement specifically states that they can’t seize your personal electronics. Although, most employers likely won’t put a provision in that explicitly forbids them from taking your device. Once you bring your device on the property, your employer can claim that your device contains company property and seize it anyway. Note that even leaving it in your car could be enough if the company WiFi reaches your car in its parking space.
Buy a dumb phone and use that at work. By this I mean, buy a phone that doesn’t support WiFi, doesn’t support a data plan, doesn’t support email, doesn’t support Bluetooth and that doesn’t support any storage that can be removed. If your phone is a dumb phone, it cannot be claimed that it could contain any company file data. If it doesn’t support WiFi, it can’t be listening in on company secrets. This dumb phone basically requires your company to buy you a smart phone if they need you to have remote access to email and always-on Internet. It also prevents them from leeching off your personal iPhone plan.
That doesn’t mean you can’t have an iPhone, but you should leave it at home during work days. Bring your dumb phone to work. People can still call and text you, but the phone cannot be used as a storage vehicle for company secrets (unless you start entering corporate contacts into the phone book). You should avoid entering any company contact information in your personal phone’s address book. Even this information could be construed as confidential data and could be enough to have even your dumb phone seized.
If they do decide to seize your dumb phone, you’ve only lost a small amount of money in the phone and it’s simple to replace the SIM card in most devices. So, you can probably pick up a replacement phone and get it working the same day for under $100 (many times under $30).
Request to Strike Language from the Employment Agreement
Reading through your Employment Agreement can make or break the deal of whether or not you decide to hire on. Some Employment Agreements are way overreaching in their goals. How the management reacts to your request to strike language from the Employment Agreement may tell you the kind of company you are considering. In some cases, I’ve personally had language struck from the agreement and replaced with an addendum to which we both agreed and signed. In another case, I walked away from the position because both the hiring and HR managers refused to alter the Employment Agreement containing overreaching language. Depending on how badly they want to fill the position, you may or may not have bargaining power here. However, if it’s important to you, you should always ask. If they decline to amend the agreement, then you have to decide whether or not the position is important enough to justify signing the Agreement with that language still in place.
But, I like my iPhone/iPad/iPod too much
Then, you take your chances with your employer. Only you can judge your employer for their intent (and by reading your employment agreement). When it comes down to brass tacks, your employer will do what’s right for the company, not for you. The bigger the company gets, the more likely they are to take your phone and not care about you or the situation. If you work in a 1000+ employee company, your phone seizure risk greatly increases. This is especially true if you work in any position where you may have access to extremely sensitive company data.
If you really like your device, then you should protect it by leaving it someplace away from the office (and not in your car parked on company property). This will ensure they cannot seize it from you when you’re on company property. However, it won’t stop them from visiting your home and confiscating it from you there.
On the other hand, unlike the dumb phone example above, if they seize your iPhone, you’re looking at a $200-500 expense to replace the phone plus the SIM card and possibly other expenses. If you have synced your iPhone with your computer at home and data resides there, that could leave your home computer at risk of seizure, especially if the Federal Government is involved. Also, because iCloud now stores backups of your iDevices, they could petition the court to seize your Apple ID from Apple to gain access to your iDevice backups.
For company issued iPhones, create a brand new Apple ID using your company email address. Have your company issued phone create its backups in your company created Apple ID. If they seize this Apple ID, there is no loss to you. You should always, whenever possible, create separate IDs for company issued devices and for your personal devices. Never overlap these personal and company login IDs, no matter how tempting it may be. This includes doing such things as linking your personal Facebook, Google, LinkedIn, Yahoo or any other personal site accounts to your corporate issued iPhone or Apps. If you take any personal photographs using your company phone, you should make sure to get them off of the phone quickly. Better, don’t take personal pictures with your company phone. If you must sync your iPhone with a computer, make sure it is only a company computer. Never sync your company issued iPhone or iPad with your personally owned computer. Only sync your device with a company issued computer.
Personal Device Liabilities
Even if during an investigation nothing is turned up on your device related to the company’s investigation, if they find anything incriminating on your device (i.e., child porn, piracy or any other illegal things), you will be held liable for those things they find as a separate case. If something is turned up on your personal device related to the company’s investigation, it could be permanently seized and never returned. So, you should be aware that if you carry any device onto your company’s premises, your device can become the company’s property.
Caution is Always Wise
With the use of smart phones comes unknown liabilities when used at your place of employment. You should always treat your employer and place of business as a professional relationship. Never feel that you are ‘safe’ because you know everyone there. That doesn’t matter when legal investigations begin. If a court wants to find out everything about a situation, that could include seizing anything they feel is relevant to the investigation. That could include your phone, your home computer, your accounts or anything else that may be relevant. Your Employment Agreement may also allow your employer to seize things that they need if they feel you have violated the terms of your employment. Your employer can also petition the court to require you to relinquish your devices to the court.
Now, that doesn’t mean you won’t get your devices, computers or accounts back. But, it could take months if the investigation drags on and on. To protect your belongings from this situation, here are some …
Tips
- Read your Employment Agreement carefully
- Ask to strike language from Agreements that you don’t agree with
- Make sure agreements with companies eventually expire after you leave the company
- NDAs should expire 5-10 years after termination
- Non-compete agreements should expire 1 year after termination
- Bring devices to the office that you are willing to lose
- Use cheap dumb phones (lessens your liability)
- Leave memory sticks and other memory devices at home
- Don’t use personal devices for company communication (i.e., email or texting)
- Don’t let the company pay for your personal device bills (especially post-paid cell plans)
- Prepaid plans are your friend at your office
- Require your employer to supply and pay for iDevices to support your job function
- Turn WiFi off on all personal devices and never connect them to corporate networks
- Don’t connect personal phones to corporate email systems
- Don’t text any co-workers about company business on personal devices
- Ask Employees to refrain from texting your personal phone
- Use a cheap mp3 player without WiFi or internet features when at the office
- Turn your personal cell phone off when at work, if at all possible
- Step outside the office building to make personal calls
- Don’t use your personal Apple ID when setting up your corporate issued iPhone
- Create a new separate Apple ID for corporate issued iPhones
- Don’t link iPhone or Android apps to personal accounts (LinkedIn, Facebook, etc)
- Don’t take personal photos with a company issued phone
- Don’t sync company issued phones with your personally owned computer
- Don’t sync personal phones with company owned computers
- Replace your device after leaving employment of a company
Nothing can prevent your device from being confiscated under all conditions. But, you can help reduce this outcome by following these tips and by segregating your personal devices and accounts from your work devices and work accounts. Keeping your personal devices away from your company’s property is the only real way to help prevent it from being seized. But, the company could still seize it believing that it may contain something about the company simply because you were or are an employee. Using a dumb prepaid phone is probably the only way to ensure that on seizure, you can get a phone set up and your service back quickly and with the least expense involved. I should also point out that having your phone seized does not count as being stolen, so your insurance won’t pay to replace your phone for this event.